
Routing

George Coulouris, Jean Dollimore and Tim Kindberg
portions from George Blank
NJIT

Routing

Except for LANs like Ethernet that provide direct connections between all hosts, networks require a process called routing to identify a path for communications to travel between nodes. In large networks, adaptive routing is used, periodically analyzing the best path between nodes to avoid congestion and faults such as broken connections. Routing on a network is the collective responsibility of the routers located at connection points between networks or subnets.

A Small Personal Router

The Linksys EtherFast Cable/DSL Router connects the Internet to a home or small office Ethernet LAN of up to 4 computers or other devices. It is combined with an Ethernet connection switch to link the devices.

List Price: about $80 in 2006

A Large CISCO Router

The Cisco uBR10012 Universal Broadband Router shown here supports 64,000 subscribers. It is a powerful commercial router that cost about $20,000 in 2006.

Routing Algorithms

Determining the best path between network nodes is done by routing algorithms. A routing algorithm has two parts:
1) Determine the path taken by each packet in an efficient manner, to avoid degrading network performance.
2) Monitor traffic and changes to the network, to maintain information on the best paths through the network.

Localized Routing

Routing algorithms are distributed through the network. Each router reads the address of each packet and decides where to send that packet next. Locally held information at each router includes the status of its direct links, including information on congestion and link failures.
Link tables include various routings and their current known cost in terms of the number of hops to reach a particular destination. An algorithm seeking a path to a new destination can request information from other routers.

Timeouts

The Internet uses a timeout mechanism to identify a message connection failure. It uses a default timing such as 256 seconds. The same number may be used as a hop counter: a router decrements the counter by 1 each time a packet passes through a router, and if the counter reaches zero the packet is discarded. If the originating system does not receive a response within the designated time, a 404 error is displayed.

Routing on a local subnet

Packets addressed to hosts on the same network are transmitted to the destination in a single hop. Otherwise the packets must be sent to a router for transmission.

Routing Algorithm Example

The Coulouris text shows a sample network (figure 3.7) and routing table (figure 3.8) and discusses a simple routing algorithm in section 3.3. Those slides are shown following this one, but are difficult to use in class because they require frequent switching back and forth between slides to understand the process. Students are expected to understand that example well enough to explain routing algorithms on a test.

Figure 3.7 Network Diagram (Coulouris et al)

[Diagram: hosts or local networks A, B, C, D and E, joined by routers over numbered links. As read off the Figure 3.8 tables: link 1 joins A and B, link 2 joins B and C, link 3 joins A and D, link 4 joins B and E, link 5 joins C and E, and link 6 joins D and E.]

Figure 3.8 Link Table (Coulouris et al)

Routings from A
  To   Link   Cost
  A    local  0
  B    1      1
  C    1      2
  D    3      1
  E    1      2

Routings from B
  To   Link   Cost
  A    1      1
  B    local  0
  C    2      1
  D    1      2
  E    4      1

Routings from C
  To   Link   Cost
  A    2      2
  B    2      1
  C    local  0
  D    5      2
  E    5      1

Routings from D
  To   Link   Cost
  A    3      1
  B    3      2
  C    6      2
  D    local  0
  E    6      1

Routings from E
  To   Link   Cost
  A    4      2
  B    4      1
  C    5      1
  D    6      1
  E    local  0

Figure 3.9 Routing Algorithm (parts 1 and 2)

  Send: Each t seconds or when Tl changes, send Tl on each non-faulty outgoing link.
  Receive: Whenever a routing table Tr is received on link n:
    for all rows Rr in Tr {
      if (Rr.link ≠ n) {
        Rr.cost = Rr.cost + 1;
        Rr.link = n;
        if (Rr.destination is not in Tl) add Rr to Tl;
          // add new destination to Tl
        else for all rows Rl in Tl {
          if (Rr.destination = Rl.destination and
              (Rr.cost < Rl.cost or Rl.link = n)) Rl = Rr;
          // Rr.cost < Rl.cost : remote node has better route
          // Rl.link = n : remote node is more authoritative
        }
      }
    }

Coulouris et al

Routing Table Animation

[Animated slide: a seven-node network (A to G) and the routing table from A being built up step by step, with columns To, Link and Cost.]

Fault Handling

When a router detects a broken link or similar failure, it reacts by setting the cost to reach that link to infinity. This cost will propagate to neighboring nodes until a node is reached where a link is active and therefore has a smaller cost. That smaller cost will propagate back through neighboring router tables to create a new shortest path to the nodes that were connected through the broken link.

Network Congestion

When the load at any particular link reaches capacity, nodes trying to send traffic through that link will find their traffic blocked. This results in available buffer space filling up until nodes must refuse traffic and discard incoming packets. If this condition is temporary, it is self-correcting as dropped packets are retransmitted. However, if congestion is substantial or prolonged, the effect on network performance is catastrophic.

Congestion Control

In general, the approach to controlling congestion is to inform nodes along the route that congestion is occurring and to request that those nodes reduce their rate of packet transmission.
On the Internet, a large portion of packets are derived from human interaction, and people become frustrated and cease making requests to overly busy nodes, which reduces congestion. In some cases, denial of service attacks have deliberately congested prominent Internet sites.

Firewalls

With the Internet consisting of many nodes operated by many people, security problems are inevitable. Commercial enterprises would not wish employees to have access to gambling and pornography during working hours. Many trade secrets are in company files, and industrial espionage must be discouraged. Viruses, denial of service attacks and other threats must be contained. One approach to these problems is to isolate a more trusted domain from the rest of the Internet. This is done with hardware and software firewalls.

Firewall Security Policies

Service Control: Permit some Internet services to be accessed and deny others.
Behavior Control: Deny activities that violate the organization's policies or which open the organization to attack or compromise.
User Control: Allow only properly identified persons access to the network, ensure that identified users can only access the resources they are permitted to use in performing their jobs, and keep audit records to identify improper activities.

Implementing a Firewall

Firewalls use different ways to identify threats:
IP Packet Filtering
TCP Gateways
Application Level Gateways
Gateways are often implemented on separate computers referred to as bastions.

IP Packet Filters

Packet filters look at address and service fields in packet headers and block packets that are addressed to blocked addresses or are otherwise likely to be problems. They may block particular ports known to be used by problematic services. For example, a firewall may prevent use of NFS servers by external clients by blocking port 2049.

A Software Filter

TCP Gateway

A TCP Gateway process checks all requests to connect or transmit data. It ensures that TCP segments are formatted correctly and that the connections can be controlled. If desired, the connection requests are then passed to an application-level gateway for content checking.

Application Level Gateway

An Application Level Gateway acts as a proxy for an application process. For example, if an application wants to perform an action like making a connection, it can request the Gateway to do that instead. By denying direct access to the activity, the Gateway can verify addresses and data and perform security checks.

Bastions

When gateway processes are required, they are often run on a separate computer called a bastion (i.e. fortress). Where security needs are strict, the bastion can be located in a subnet that controls all access to the protected network, with a router on the protected network and another on the network it is being protected from. This can hide all the addresses and even the existence of the hosts on the protected network from the rest of the world, and also provides a second router if the security on the first fails.

Figure 3.21 Firewalls (Coulouris et al)

a) Filtering router: a router/filter between the Internet and the protected intranet, which contains the web/ftp server.
b) Filtering router and bastion: the router/filter fronts a bastion and the web/ftp server on the protected intranet.
c) Screened subnet for bastion: the bastion and web/ftp server sit on a subnet between two routers/filters, one facing the Internet and one facing the protected intranet.

Virtual Private Networks (VPN)

The protection of a firewall boundary can be extended beyond the protected network by use of a Virtual Private Network. This combines encryption, tunneling, and secure authentication to create a protected link between secure systems across a public network.
A VPN connection increases system overhead and reduces throughput, so it may not be practical if high performance is required.

A VPN Client
(details hidden for security purposes)

Classroom Team Exercise

[Network diagram for the exercise: nodes A to F]

1) Make a routing table for A
2) Revise the routing table as if the link from C to E were broken

Template for Exercise

Routings from A
  To   Link   Cost
  A
  B
  C
  D
  E
  F

Bibliography

George Coulouris, Jean Dollimore and Tim Kindberg, Distributed Systems: Concepts and Design, Addison Wesley, Fourth Edition, 2005.
Figures from the Coulouris text are from the instructor's guide and are copyrighted by Pearson Education 2005.
Router illustrations and product information are from the CISCO and Linksys web sites.
